Oracle PeopleSoft zero-day hits over 100 organisations
Mandiant links flaw to ShinyHunters campaign, customers told to mitigate while patch remains unavailable
Lorenzo Franceschi-Bicchierai
techcrunch.com
Oracle has warned corporate customers about a critical vulnerability in its PeopleSoft software that security researchers say has been used to breach more than 100 organisations. The flaw, disclosed in an Oracle advisory cited by TechCrunch, can be exploited over the internet without authentication, turning a common HR and payroll system into a remote entry point.
According to TechCrunch, the hacking group ShinyHunters told the publication it had compromised organisations by abusing an unpatched PeopleSoft zero-day. Mandiant, Google’s security unit, said the bug described by Oracle matches the one ShinyHunters used, and said it had notified more than 100 global organisations—mostly in the United States—about exposure. About two-thirds of the organisations Mandiant contacted were in higher education, a sector that tends to run sprawling IT estates with many semi-autonomous departments and long patch cycles.
The immediate problem is not that PeopleSoft exists, but that it sits where the most valuable identity and personal data accumulates. ShinyHunters has positioned itself as a data-theft and extortion operation: steal records, publish samples, and pressure victims to pay to keep the rest offline. In this campaign, the group claimed to have obtained large volumes of student data—names, addresses, contact details and other fields—before posting material to its leak site. Even when an institution blocks an intrusion quickly, the incentive is to keep the incident quiet until lawyers and communications teams align, which can leave other users of the same software guessing whether they are next.
Oracle recommended mitigations; a patch was not yet available at the time of TechCrunch’s report. That leaves customers in the familiar position of paying for enterprise software and still having to build their own compensating controls—network restrictions, monitoring, emergency configuration changes—while attackers move faster than change-management boards. Because the flaw needs no authentication, exposure comes down to whether the PeopleSoft web tier is reachable from the internet at all: universities and other large employers often keep these systems online for remote access by staff and students, and the PeopleSoft ecosystem typically includes integrations with identity providers, finance systems and third-party portals that widen the blast radius.
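The two compensating controls named above, restricting who can reach the PeopleSoft web tier and watching the traffic that does reach it, can be checked against ordinary web-server access logs. The script below is an added example written for this article, not code from Oracle, TechCrunch or Mandiant, and it encodes nothing about the vulnerability itself, which the advisory cited here does not detail. It assumes the PeopleSoft portal and content servlets are served under the `/psp/` and `/psc/` path prefixes, assumes two allowlisted campus/VPN ranges, and runs over constructed log lines in the common Apache/Nginx combined format.

```python
"""Flag PeopleSoft requests that arrive from outside an address allowlist.

Added example for the network-restriction and monitoring mitigations
discussed above. The path prefixes, allowlist and log lines are assumptions
and constructed sample data, not taken from any real deployment.
"""
import ipaddress
import re
from collections import Counter

# Assumption: the institution's own address space (campus and VPN egress).
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]

# Assumption: path prefixes fronting the PeopleSoft portal (psp) and
# content (psc) servlets. Adjust to the site's actual deployment.
PEOPLESOFT_PATH = re.compile(r"^/(?:psp|psc)/")

# Apache/Nginx "combined" access-log format: ip ident user [ts] "req" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return a dict of ip/ts/method/path/status, or None if the line does not parse."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_allowed(ip_text):
    """True if the source address falls inside one of the allowlisted networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable source field: treat as untrusted
    return any(ip in net for net in ALLOWED_NETS)


def flag_external_access(lines):
    """Every PeopleSoft request whose source is outside the allowlist, any status."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not PEOPLESOFT_PATH.match(rec["path"]):
            continue
        if not is_allowed(rec["ip"]):
            hits.append(rec)
    return hits


def summarise(hits):
    """Per-source count of 2xx PeopleSoft responses served outside the allowlist.

    A 403 from outside means the network restriction fired; a 2xx means the
    application answered an untrusted source and deserves a closer look.
    """
    return Counter(h["ip"] for h in hits if 200 <= h["status"] < 300)


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.1.2.3 - - [10/Mar/2025:08:00:01 +0000] "GET /psp/ps/signon.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Mar/2025:08:00:05 +0000] "GET /psc/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 2048',
    '198.51.100.7 - - [10/Mar/2025:08:00:06 +0000] "POST /psp/ps/EMPLOYEE/HRMS/ HTTP/1.1" 200 310',
    '203.0.113.9 - - [10/Mar/2025:08:01:00 +0000] "GET /robots.txt HTTP/1.1" 404 0',
    '203.0.113.9 - - [10/Mar/2025:08:01:02 +0000] "GET /psc/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 403 0',
    '192.0.2.45 - - [10/Mar/2025:08:02:00 +0000] "GET /psp/ps/signon.html HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    flagged = flag_external_access(SAMPLE_LOG)
    for rec in flagged:
        print(f'{rec["ts"]} {rec["ip"]} {rec["method"]} {rec["path"]} -> {rec["status"]}')
    print("successful external hits per source:", dict(summarise(flagged)))
```

Run against real logs, the interesting output is any non-empty summary: each line is a successful response the application served to an address that the network restriction should have turned away. The example also quietly makes the point in the closing paragraph: it can only be run if the access logs were being kept in the first place.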
ShinyHunters has targeted multiple widely used platforms in recent campaigns, according to TechCrunch, including Salesforce, Gainsight and software from education company Instructure. Instructure paid hackers after two breaches earlier this year, illustrating the market’s bluntest feedback loop: once data is stolen, the cost of refusing to pay is borne by the victim’s users, while the cost of paying is borne by future victims.
Oracle’s advisory arrived after organisations were already being contacted by Mandiant and after stolen data had begun appearing online. For many PeopleSoft customers, the first confirmation that their HR system was a live target may be the traffic logs they did not know they needed to keep.